Association mining extracts common relationships among a finite number of categorical data objects in a set of transactions. However, if the data objects are not categorical and potentially unlimited, it is impossible to employ the association mining approach. On the other hand, clustering is suitable for modeling a large number of non-categorical data objects as long as there exists a distance measure among them. Although it has been used to classify data objects in a data set into groups of similar objects based on data similarity, it can be used to extract the properties of similar data objects commonly appearing in a set of transactions. In this paper, a new clustering method, CLOCK, is proposed to find common knowledge such as frequent ranges of similar objects in a set of transactions. The common knowledge of data objects in the transactions can be represented by the occurrence frequency of similar data objects in terms of a transaction as well as the common repetitive ratio of similar data objects in each transaction. Furthermore, the proposed method also addresses how to maintain identified common knowledge as a summarized profile. As a result, any data difference between a newly collected transaction and the common knowledge of past transactions can be easily identified.

For detecting the anomalous behavior of a user effectively, most researches have concentrated on statistical techniques. However, since statistical techniques mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. In addition, it is difficult to model intermittent activities performed periodically. In order to model the normal behavior of a user closely, a set of various features can be employed. Given an activity of a user, the values of those features that are related to the activity represent the behavior of the activity. Furthermore, activities performed in a session of a user can be regarded as a semantically atomic transaction. Although it is possible to apply clustering technique to these values to extract the normal behavior of a user, most of conventional clustering algorithms do not consider any transactional boundary in a data set. In this paper, a transaction-based clustering algorithm for modeling the normal behavior of a user is proposed. Based on the activities of the past transactions, a set of clusters for each feature can be found to represent the normal behavior of a user as a concise profile. As a result, any anomalous behavior in an online transaction of the user can be effectively detected based on the profile of the user.